From 04b4ec3866446df45dab628782702cd1444c3575 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?=
Date: Wed, 28 Oct 2020 08:26:50 -0500
Subject: [PATCH] Identify HSMs using labels instead of Slot ID

This patch adds support for two new options in barbican.conf for the PKCS#11 backend plugin: [p11_crypto]token_label and [p11_crypto]token_serial_number by adding two new parameters to the Barbican deployment BarbicanPkcs11CryptoTokenSerialNumber and BarbicanPkcs11CryptoTokenLabel. This patch also simplifies the use of barbican-manage to generate the MKEK and PKEK in the HSM backend by using the values provided in barbican.conf instead of duplicating them on the command line. For the Thales Luna Network device, this patch uses the label parameters to identify the partition to be used. Because we are using labels we no longer need to write the runtime generated Slot ID of the HA group into hieradata.

Depends-On: I4e86e73bbdef0e16d3699cec1cc8f7e17dfb643b
Change-Id: Id05acb6516daa62279c9aade41256bcec7c5fce7
---
 .../barbican-api-container-puppet.yaml | 65 +++++--------------
 ...barbican-backend-pkcs11-crypto-puppet.yaml | 14 +++-
 .../barbican-backend-pkcs11-lunasa.yaml | 24 +++----
 3 files changed, 43 insertions(+), 60 deletions(-)

diff --git a/deployment/barbican/barbican-api-container-puppet.yaml b/deployment/barbican/barbican-api-container-puppet.yaml
index e4626b9bb7..fb2b2ca86c 100644
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@@ -67,7 +67,7 @@ parameters:
 type: string
 default: ''
 BarbicanPkcs11CryptoLogin:
- description: Password to login to PKCS11 session
+ description: Password (PIN) to login to PKCS#11 session
 type: string
 hidden: true
 default: ''
@@ -80,9 +80,17 @@ parameters:
 type: string
 default: ''
 BarbicanPkcs11CryptoSlotId:
- description: Slot Id for the HSM
+ description: Slot Id for the PKCS#11 token to be used
 type: string
 default: '0'
+ BarbicanPkcs11CryptoTokenSerialNumber:
+ description: Serial number for PKCS#11 token to be used
+ type: string
+ default: ''
+ BarbicanPkcs11CryptoTokenLabel:
+ description: Label for PKCS#11 token to be used
+ type: string
+ default: ''
 BarbicanPkcs11CryptoHMACKeyType:
 description: Cryptoki Key Type for Master HMAC key
 type: string
@@ -168,7 +176,7 @@ conditions:
 thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
 atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
 lunasa_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoLunasaEnabled}, true]}
- thales_or_atos_or_lunasa_hsm_enabled:
+ hsm_enabled:
 or:
 - thales_hsm_enabled
 - atos_hsm_enabled
@@ -427,7 +435,7 @@ outputs:
 - null
 deploy_steps_tasks:
 if:
- thales_or_atos_or_lunasa_hsm_enabled
+ - hsm_enabled
 - list_concat:
 -
 if:
@@ -478,24 +486,17 @@ outputs:
 - map_merge:
 - {get_param: LunasaVars}
 - lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
+ - lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
 - map_merge:
 - {get_param: LunasaVars}
 - lunasa_client_pin: {get_param: BarbicanPkcs11CryptoLogin}
+ - lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
 - lunasa_client_ip:
 str_replace:
 template: "{{$NETWORK_ip}}"
 params:
 $NETWORK: {get_param: LunasaClientIPNetwork}
- - - name: set the slot id in hieradata
- include_role:
- name: tripleo_hieradata
- tasks_from: ansible_hieradata.yml
- vars:
- hieradata_ansible_data:
- barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: "{{ lunasa_ha_slot }}"
- when: lunasa_ha_slot is defined
 - null
 - null
 docker_config:
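Review bot: The two new parameters BarbicanPkcs11CryptoTokenSerialNumber and BarbicanPkcs11CryptoTokenLabel in the `@@ -80,9 +80,17 @@` hunk join BarbicanPkcs11CryptoSlotId (still defaulting to '0') as a third way of selecting the token, but none of the three descriptions says what happens when more than one is set, and all three are unconditionally written to barbican.conf by the hieradata hunk of barbican-backend-pkcs11-crypto-puppet.yaml (`p11_crypto_plugin_slot_id`, `p11_crypto_plugin_token_serial_number`, `p11_crypto_plugin_token_label`). Which identifier wins is decided by the dependent barbican change rather than by anything in this patch, so once that is known the descriptions should state it, e.g. `description: Label for PKCS#11 token to be used; takes precedence over BarbicanPkcs11CryptoSlotId when set` (adjusted to the real precedence). From a key-custody standpoint the serial number is the safer selector when several tokens are visible to the client, because a token label is operator-assigned and need not be unique whereas the serial identifies one specific token, and the description of BarbicanPkcs11CryptoTokenSerialNumber could say so. The same parameter block is duplicated in the `@@ -53,9 +53,17 @@` hunk of barbican-backend-pkcs11-crypto-puppet.yaml and needs the same wording.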
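Review bot: In the `@@ -478,24 +486,17 @@` hunk the added `- lunasa_ha_label: {get_param: BarbicanPkcs11CryptoTokenLabel}` entries come after `{get_param: LunasaVars}` in both map_merge lists, so a `lunasa_ha_label` that an operator still carries in LunasaVars (the way the comment removed from barbican-backend-pkcs11-lunasa.yaml documented it) is overridden, and with the parameter's default of '' an un-migrated HA deployment would hand the lunasa role an empty HA group label instead of failing fast. Either keep honouring LunasaVars by placing the new entry before it in the merge, or make the new parameter mandatory on the Lunasa path, for example by asserting that the label is non-empty before any client registration or HA-group creation is attempted. With the slot-id hieradata task gone this label is now the only thing tying the token selection in barbican.conf to the HA group the role creates, which deserves a comment next to the first added line: `# must match the HA group / partition label the lunasa role configures`. The enclosing deploy_steps_tasks block starts before this hunk.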
@@ -562,23 +563,11 @@ outputs:
 - ' '
 - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
 - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- - "hsm check_mkek --library-path"
- - {get_param: [BarbicanPkcs11CryptoLibraryPath]}
- - "--slot-id"
- - {get_param: [BarbicanPkcs11CryptoSlotId]}
- - "--passphrase"
- - {get_param: [BarbicanPkcs11CryptoLogin]}
- - "--label"
+ - "hsm check_mkek --label"
 - {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
 - "|| /usr/bin/barbican-manage"
 - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- - "hsm gen_mkek --library-path"
- - {get_param: [BarbicanPkcs11CryptoLibraryPath]}
- - "--slot-id"
- - {get_param: [BarbicanPkcs11CryptoSlotId]}
- - "--passphrase"
- - {get_param: [BarbicanPkcs11CryptoLogin]}
- - "--label"
+ - "hsm gen_mkek --label"
 - {get_param: [BarbicanPkcs11CryptoMKEKLabel]}
 - "'"
 - {}
@@ -600,28 +589,10 @@ outputs:
 - ' '
 - - "/usr/bin/bootstrap_host_exec barbican_api su barbican -s /bin/bash -c '/usr/bin/barbican-manage"
 - {get_attr: [BarbicanApiLogging, cmd_extra_args]}
- - "hsm check_hmac --library-path"
- - {get_param: [BarbicanPkcs11CryptoLibraryPath]}
- - "--slot-id"
- - {get_param: [BarbicanPkcs11CryptoSlotId]}
- - "--passphrase"
- - {get_param: [BarbicanPkcs11CryptoLogin]}
- - "--label"
+ - "hsm check_hmac --label"
 - {get_param: [BarbicanPkcs11CryptoHMACLabel]}
- - "--key-type"
- - {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
- - "|| /usr/bin/barbican-manage hsm gen_hmac --library-path"
- - {get_param: [BarbicanPkcs11CryptoLibraryPath]}
- - "--slot-id"
- - {get_param: [BarbicanPkcs11CryptoSlotId]}
- - "--passphrase"
- - {get_param: [BarbicanPkcs11CryptoLogin]}
- - "--label"
+ - "|| /usr/bin/barbican-manage hsm gen_hmac --label"
 - {get_param: [BarbicanPkcs11CryptoHMACLabel]}
- - "--key-type"
- - {get_param: [BarbicanPkcs11CryptoHMACKeyType]}
- - "--mechanism"
- - {get_param: [BarbicanPkcs11CryptoHMACKeygenMechanism]}
 - "'"
 - {}
 - if:
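Review bot: The rewritten barbican-manage invocations in the `@@ -562,23 +563,11 @@` and `@@ -600,28 +589,10 @@` hunks drop `--library-path`, `--slot-id` and `--passphrase`, which takes the HSM PIN out of the shell command line of the bootstrap step, yet they still pass `--label` from BarbicanPkcs11CryptoMKEKLabel / BarbicanPkcs11CryptoHMACLabel although the same values are written to barbican.conf as `p11_crypto_plugin_mkek_label` / `p11_crypto_plugin_hmac_label`. If the dependent barbican change reads the labels from config as well, these explicit `--label` arguments are the last duplication the commit message says it removes and could go; if it does not, a short comment above the check_mkek line stating that the label is the one value barbican-manage cannot take from config would stop the next maintainer from removing it. Either way both commands now assume barbican.conf already contains the token selection when docker_config runs, which nothing here shows; a comment naming that ordering assumption, `# requires the p11_crypto hieradata to be applied before this step`, would document it. The list_join wrapping each command starts and ends outside these hunks.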
diff --git a/deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml b/deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
index 7e0cad26d8..4bbd24f129 100644
--- a/deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
+++ b/deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
@@ -36,7 +36,7 @@ parameters:
 type: string
 default: ''
 BarbicanPkcs11CryptoLogin:
- description: Password to login to PKCS11 session
+ description: Password (PIN) to login to PKCS#11 session
 type: string
 hidden: true
 default: ''
@@ -53,9 +53,17 @@ parameters:
 type: string
 default: ''
 BarbicanPkcs11CryptoSlotId:
- description: Slot Id for the HSM
+ description: Slot Id for the PKCS#11 token to be used
 type: string
 default: '0'
+ BarbicanPkcs11CryptoTokenSerialNumber:
+ description: Serial number for PKCS#11 token to be used
+ type: string
+ default: ''
+ BarbicanPkcs11CryptoTokenLabel:
+ description: Label for PKCS#11 token to be used
+ type: string
+ default: ''
 BarbicanPkcs11CryptoEncryptionMechanism:
 description: Cryptoki Mechanism used for encryption
 type: string
@@ -93,6 +101,8 @@ outputs:
 barbican::plugins::p11_crypto::p11_crypto_plugin_mkek_length: {get_param: BarbicanPkcs11CryptoMKEKLength}
 barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_label: {get_param: BarbicanPkcs11CryptoHMACLabel}
 barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: {get_param: BarbicanPkcs11CryptoSlotId}
+ barbican::plugins::p11_crypto::p11_crypto_plugin_token_serial_number: {get_param: BarbicanPkcs11CryptoTokenSerialNumber}
+ barbican::plugins::p11_crypto::p11_crypto_plugin_token_label: {get_param: BarbicanPkcs11CryptoTokenLabel}
 barbican::plugins::p11_crypto::p11_crypto_plugin_encryption_mechanism: {get_param: BarbicanPkcs11CryptoEncryptionMechanism}
 barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
 barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
diff --git a/environments/barbican-backend-pkcs11-lunasa.yaml b/environments/barbican-backend-pkcs11-lunasa.yaml
index 01c6a7b945..d850b65f52 100644
--- a/environments/barbican-backend-pkcs11-lunasa.yaml
+++ b/environments/barbican-backend-pkcs11-lunasa.yaml
@@ -1,15 +1,17 @@
-# A Heat environment file to enable the barbican PKCS11 crypto backend with
-# a Lunasa HSM.
-# Note that barbican needs to be enabled in order to use this.
+# A Heat environment file to enable the barbican PKCS#11 crypto backend using
+# one or more Thales Luna Network HSMs.
+# Note that Barbican needs to be enabled in order to use this.
 parameter_defaults:
 # In order to use this backend, you need to uncomment these values and
 # provide the appropriate values.
 #
- # BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session
- # BarbicanPkcs11CryptoSlotId: Slot Id for the HSM. Note that this parameter is only
- # strictly required when setting up the Lunasa client in non-HA mode. In HA
- # mode, whatever value is placed here will be overridden by the dynamically generated
- # slot for the HA group created on the client.
+ # BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS#11 session
+ #
+ # BarbicanPkcs11CryptoTokenLabel: Label for PKCS#11 token to be used.
+ # For single HSM deployments this value should be the partition label
+ # that will be assigned to the clients.
+ # For HA deployments this value should be the label for the HA group.
+ # BarbicanPkcs11CryptoSlotId: (Optional) Slot Id for PKCS#11 token to be used
 # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
 #
 # LunasaClientIPNetwork: (Optional) Network to be used by the controllers
@@ -36,13 +38,13 @@ parameter_defaults:
 # lunasa_client_rotate_cert: (Optional) Set to true to generate a new
 # client certificate and re-register clients during deployment.
 # lunasa_hsms: A list of HSMs. When more than one HSM is specified, they
- # will be configured as an HA pool. Each entry should specify the
+ # will be configured as an HA group. Each entry should specify the
 # following:
 # - hostname: Hostname for the HSM
- # admin_password: admin password for the HSM, used to add a new client.
+ # admin_password: admin password for the HSM, used to add a new client
+ # for each controller node.
 # partition: HSM partition to be assigned to the clients.
 # partition_serial: serial number for the partition.
- # lunasa_ha_label: HA group label Required only for HA mode.

 resource_registry:
 OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml